mattias: one change= caller id to be done in background; try to get on irc and tell nick who you are

17:04:07 [rvaneijk]

Hi, I will not be able to attend the call unfortunately..

17:04:09 [Zakim]

+Chris_Pedigo

17:04:12 [eberkower]

aavv=eberkower

17:04:15 [npdoty]

Regrets+ rvaneijk

17:04:21 [David]

David has joined #dnt

17:04:21 [ChrisPedigo_OPA]

ChrisPedigo_OPA has joined #dnt

17:04:23 [npdoty]

Zakim, aavv is eberkower

17:04:23 [Zakim]

+eberkower; got it

17:04:26 [susanisrael]

mattias: welcome-looking forward to a couple productive months to finish both specs

17:04:31 [WileyS]

WileyS has joined #dnt

17:04:39 [rvaneijk]

Success !

17:04:46 [susanisrael]

mattias: had productive 2012, identified issue, shouldn't be a big deal finishing this year

17:04:48 [Zakim]

+[Microsoft]

17:04:52 [BillScannell]

BillScannell has joined #dnt

17:05:01 [Lia]

Lia has joined #dnt

17:05:02 [npdoty]

agenda+ Action items

17:05:05 [Zakim]

+ +1.310.392.aayy

17:05:09 [npdoty]

agenda+ Revised exceptions approach

17:05:09 [aleecia]

Zakim, agenda?

17:05:10 [Zakim]

I see 3 items remaining on the agenda:

17:05:10 [Zakim]

1. Next steps for compliance [from npdoty]

17:05:10 [Zakim]

2. Action items [from npdoty]

17:05:10 [Zakim]

3. Revised exceptions approach [from npdoty]

17:05:11 [susanisrael]

....peter would like to spend a couple min on compliance doc then i will discuss tpe. comments on agenda?

17:05:18 [npdoty]

agenda+ multiple first parties

17:05:22 [Zakim]

+ +1.408.349.aazz

17:05:24 [bryan]

bryan has joined #dnt

17:05:26 [npdoty]

agenda+ updates to JS API

17:05:34 [npdoty]

agenda+ Service Providers

17:05:42 [johnsimpson]

zakim, 310.292,aayy is johnsimpson

17:05:42 [Zakim]

sorry, johnsimpson, I do not recognize a party named '310.292,aayy'

17:05:43 [npdoty]

agenda+ Pending Review

17:05:47 [npdoty]

agenda+ Open issues

17:05:47 [Zakim]

+Peder_Magee

17:05:51 [susanisrael]

Peter Swire: Happy new year. I will talk for a while to give people background of what will happen next week. ....

17:05:56 [npdoty]

Zakim, aayy is johnsimpson

17:05:56 [Zakim]

+johnsimpson; got it

17:06:02 [susanisrael]

...my goal is to be inclusive.

17:06:09 [johnsimpson]

zakim, 310.392.aayy is johnsimpson

17:06:10 [Zakim]

sorry, johnsimpson, I do not recognize a party named '310.392.aayy'

17:06:13 [pedermagee]

pedermagee has joined #dnt

17:06:25 [justin_]

zakim, aayy is johnsimpson

17:06:25 [Zakim]

sorry, justin_, I do not recognize a party named 'aayy'

17:06:38 [susanisrael]

Wanted to get to know as many stakeholders as possible. In those conversations was trying to identify a path forward. More than 30 meetings so far.

17:07:24 [susanisrael]

Peter: have responded to all messages and have told people when I would be in various cities. want to build confidence and get to know people. If i have not responded to you I apologize

17:07:35 [susanisrael]

ping me again if you want and we'll try to have a good discussion.

17:07:37 [tedleung]

tedleung has joined #dnt

17:08:17 [susanisrael]

Peter: in those meetings the area of de-identification or de-linking seemed quite promising. another topic was default settings and I don't expect to address that soon. But ....

17:08:33 [Zakim]

+ +1.206.664.bbaa

17:08:45 [tedleung]

zakim bbaa is tedleung

17:08:56 [susanisrael]

de-identification is an area where people of different views think it would be helpful to work on this. advertising industry says they don't use pii and ngo's/advocates also interested.

17:08:58 [npdoty]

Zakim, bbaa is tedleung

17:08:58 [Zakim]

+tedleung; got it

17:09:35 [susanisrael]

It's important on compliance side. If it's not linked, you are not tracked, roughly speaking. So working on de-identification is somewhat like defining what tracking is. Not exact, but similar....

17:09:37 [Chris_IAB]

Zakim, Lou Mastria from DAA is here too, on the same line

17:09:37 [Zakim]

I don't understand you, Chris_IAB

17:09:53 [susanisrael]

so not surprising that what counts as not tracked/de-identified will be important.

17:10:21 [ifette]

ifette has joined #dnt

17:10:24 [kj]

kj has joined #dnt

17:10:47 [susanisrael]

peter: there may be some win-wins that can happen here. de-linking may improve privacy but permit better utility for data. Could see wins for people who want to use data and people who don't want to be identified.

17:10:53 [ifette]

i get a busy signal when trying to call in

17:11:08 [ifette]

(3x)

17:11:13 [susanisrael]

turns out to be related to permissible uses.

17:11:18 [bryan]

i cant dial in either

17:11:55 [susanisrael]

peter: with that as background we can see why this set of issues is important and will have to be addressed in any spec. seems a necessary step to any eventual standard

peter: beyond that these issues of de-identification are important in their own right. have been the focus of a lot of attention--in uk and through hhs in us, and canada on healthcare side has done work on this

peter: a lot of technical people who have done good work on this turn out to be in the w3c process. It may be we have some meetings and do work on this, produce some white papers for people working on this.

17:13:41 [David]

Zakim, DAvid is David_MacMillan

17:13:41 [Zakim]

sorry, David, I do not recognize a party named 'DAvid'

17:13:45 [susanisrael]

this is an area where policy makers have been confused, debates contentious, maybe we can help

17:13:47 [David]

Zakim, David is David_MacMillan

17:13:47 [Zakim]

sorry, David, I do not recognize a party named 'David'

17:13:55 [susanisrael]

peter: if good work to do here, what is our path?

17:14:19 [David]

Zakim, +1.650.465.aaxx is DAvid

17:14:19 [Zakim]

+DAvid; got it

17:14:34 [susanisrael]

peter: there was a sense, in meetings that one challenge is that people sometimes talk past each other, use different definitions, have different threat models, don't have common vocabulary

17:15:06 [susanisrael]

peter: so this sort of technical descriptive side seems to be something where it's positive to get conversation moving.

17:15:25 [Zakim]

+Bryan_Sullivan

17:15:30 [npdoty]

if you're calling in from one of these numbers, please identify via IRC: +1.202.331.aall, +1.202.639.aarr, +1.202.296.aass, +1.408.349.aazz

17:16:11 [susanisrael]

peter: one goal i had was to make sure i had some good technical folks from different perspectives working on this, for example, EFF, and Ed Felten. IAB chris, david wainberg will be there in person, with shane wiley on phone

17:16:39 [Zakim]

+[Google]

17:16:44 [jchester2]

Peter: You should have presented this first to the entire group, explain your plan then move forward. That it would make it legitimate. Instead of cherry-picking people.

17:16:46 [susanisrael]

not intended to exclude others, but wanted to make sure we have the key people in the room. This weekend got enough yeses to make sure we have range of views in room to make this worthwhile.

17:16:47 [ifette]

Zakim, Google has ifette

17:16:47 [Zakim]

+ifette; got it

17:17:39 [susanisrael]

peter: Khalid El Ahmid phd with book on subject will be in dc on that date, and morning of 17th avoids conflict with NTIA that afternoon. CDT will host. 9-12:30/12:45 EDT

17:17:57 [ifette]

Is this a short notice f2f? Sorry, just dialing in now...

17:18:02 [aleecia]

6 am pacific. Spiffy

17:18:09 [npdoty]

if you're calling in from one of these Washington DC numbers, please identify: +1.202.331.aall, +1.202.639.aarr, +1.202.296.aass

17:18:39 [susanisrael]

peter: we will scribe and have call in and open invitation for people to come physically. room holds 30-35 maybe 40. If you want to come pls send email to yanni lagos ylagos@futureofprivacy.org.

17:18:49 [bryan]

we will attend remotely

17:19:24 [susanisrael]

peter: that's just to get a sense of the numbers. IF too many will figure out a good way to proceed. Maybe limit it to 1 person/organization, but may try other things.

17:20:08 [ifette]

Object to the flurry of short-notice meetings here...

17:20:21 [susanisrael]

peter: separately, have been working with thomas roessler about meeting in brussels when i am there jan 23-35. Not grand meeting for decisions, maybe tech meeting on de-identification. include people who will be in brussels then for dpdp or otherwise.

17:20:23 [aleecia]

So Ian was not deemed a technical expert?

17:20:56 [susanisrael]

peter: this is an informal auxiliary meeting so does not need 8 weeks notice, but will try to have a call.

17:21:15 [susanisrael]

peter: now lets talk about how i think 17th meeting will go.

17:21:56 [susanisrael]

peter: for meeting on 17th, ground rules would be to focus on descriptive discussions. focus on what de-identification is, how it works.

17:22:09 [schunter]

Zakim, unmute me

17:22:09 [Zakim]

schunter should no longer be muted

17:22:14 [susanisrael]

peter: i will consider it out of order to discuss what w3c standard should include

17:22:19 [Keith]

Keith has left #dnt

17:22:32 [susanisrael]

peter: this is intended to be technical clearing of brush around technical issues.

17:22:57 [susanisrael]

mattias: quick question. so do i understand that purpose is to make tech proposals but not put anything in spec?

17:22:59 [fielding]

aleecia, apparently neither am I

17:23:23 [Joanne]

is this meeting to work through different technical use cases?

17:23:27 [Keith]

Keith has joined #dnt

17:23:39 [susanisrael]

peter: even more careful than that. having watched debate, it's not right now to draft tech specs but a step prior to that --getting understanding of common vocabulary/use cases.

17:23:53 [BillScannell]

The 17th will be a great trust-building exercise.

17:23:59 [aleecia]

Well, I guess Google and Adobe are small players :-) I'm sure this will all work out differently next time.

17:24:10 [ifette]

am I the only one who finds the irony of proposing to have the tech meeting in Europe when many of our technical participants (most browse participants, roy, etc) are in the US?

17:24:13 [susanisrael]

peter: ability of people to talk past each other in this area is great, but there is more agreement than it seems

17:24:36 [ifette]

s/browse/browser/

17:24:37 [npdoty]

I think peter's suggestion was not that he found a time that worked with all technical experts, but that there was some minimum that were available, and so it would be useful to have them meet

17:24:46 [Keith]

202.296.1883 is Keith Scarborough with ANA

17:24:59 [ifette]

nick, with a small subset not including any of the browsers i'd be surprised if we saved any time

17:24:59 [susanisrael]

peter: thought would be this is a step towards face to face in mid february. i don't have text or extra pieces in my own mind. when we have quality people talking about de-identification we can move toward tech drafting

joanne: i will need a little bit of...actually thought we closed this bc fine with language in current draft of tpe

17:38:29 [susanisrael]

mattias: ok.

17:39:22 [susanisrael]

mattias: next one is 342. on me. ask for objections to new exception model. i will mark this as closed bc will discuss new model in a min. does not mean we agree just doesn't make sense to discuss now

17:39:31 [susanisrael]

mattias: on david action 345.

17:39:54 [npdoty]

apologies, I have responding to dsinger on my to-do list

17:40:03 [npdoty]

action-345?

17:40:03 [trackbot]

ACTION-345 -- David Singer to condense non-norm examples on non-JS third parties and integrate into spec -- due 2012-12-12 -- PENDINGREVIEW

dwainberg: i did spend time on this but was a while ago. if we could push another week, i will review notes and follow up

17:41:53 [susanisrael]

mattias: ok so i think this is all the tpe related actions

17:42:04 [npdoty]

Zakim, take up agendum 3

17:42:04 [Zakim]

agendum 3. "Revised exceptions approach" taken up [from npdoty]

17:42:44 [susanisrael]

mattias: revised approach on exceptions. david has integrated into text. browser responsible for getting user preference then puts in browser for storage and may check with user if it wants

17:43:06 [schunter]

q?

17:43:07 [npdoty]

Zakim, drop aall

17:43:07 [Zakim]

+1.202.331.aall is being disconnected

17:43:07 [adrianba]

q+

17:43:08 [ifette]

link?

17:43:09 [Zakim]

- +1.202.331.aall

17:43:12 [npdoty]

Zakim, drop aarr

17:43:12 [Zakim]

+1.202.639.aarr is being disconnected

17:43:12 [ifette]

to what david put in?

17:43:14 [Zakim]

- +1.202.639.aarr

17:43:17 [schunter]

ack adrianba

17:43:18 [susanisrael]

mattias: so push for later, david said we need additional functionality and on agenda item 5 we need feedback on what david put in spec

17:43:53 [ifette]

can we get a link to the specific changed text?

17:43:57 [npdoty]

q+ to note that it's good that there are no UI requirements (but sync/async)

17:44:01 [efelten]

efelten has joined #dnt

17:44:03 [efelten]

efelten has left #dnt

17:44:06 [Zakim]

-[Microsoft]

17:44:23 [susanisrael]

adrianba: i think i mentioned before but 3 points on which i have feedback. 1. need api to be able to understand whether exception granted....important bc asking owner of site to be responsible for informed consent....

...they need to know if they must ask or have already asked and been granted exception

17:44:43 [Zakim]

+[Microsoft]

17:44:51 [Zakim]

+ +1.202.639.bbbb

17:45:01 [susanisrael]

* can someone else take over scribing for a while?

17:45:09 [npdoty]

scribenick: npdoty

17:45:16 [susanisrael]

adrianba: 2nd point re subdomains

17:45:23 [npdoty]

adrian: regarding subdomains, implicit parameter of the current document origin

17:45:25 [susanisrael]

*thanks nick

17:45:41 [npdoty]

adrianba: as much as I'd like that we wouldn't have to deal with subdomains, I think we will have to

17:45:48 [npdoty]

... have to deal with subdomains

17:45:58 [susanisrael]

npdoty: if you want me to take it back after a while i can scribe again after a few min

17:46:00 [npdoty]

... common out-of-band mechanism would be a cookie, which can be stored across sub-domains

17:46:30 [WileyS]

Exceptions persistence is preferred as it is at parity with the persistence of the DNT signal

17:46:32 [npdoty]

... if we don't have that capability for the exception API, then either sites will have to use both, or choose between them

17:46:55 [npdoty]

... making the exception API work in exactly the same way as cookies is going to be necessary

17:46:55 [aleecia]

Full domain will inadvertently pull in some third parties

17:47:10 [WileyS]

Aleecia - do you have examples?

17:47:13 [aleecia]

E.g. Analytics.acme.com

17:47:27 [npdoty]

... 3) today we have the ability to provide an array of domain strings

17:47:33 [WileyS]

That doesn't exist in the real-world. Do you have a real-world example?

17:47:46 [npdoty]

... when I request an exception, I can say that it's for a certain domain

17:47:47 [aleecia]

It does -- apple

17:47:57 [npdoty]

... currently optional, has a huge amount of complexity

17:48:04 [ifette]

+1 to adrianba

17:48:11 [npdoty]

... Microsoft, since it's optional, would ignore

17:48:19 [rigo]

aleecia, all outreach measuring in Germany is done by ivwbox.journalxyz.de that reports to a common third party. So the third party uses a subdomain of the content provider

17:48:20 [WileyS]

Aleecia, are you saying there are locations where apple is being captured as a sub-domain on another 1st party site?

17:48:55 [npdoty]

... when your list changes, do you have to call it again with the full list? requires the site to manage complexity

17:49:07 [npdoty]

... would prefer to remove it completely

17:49:10 [dsinger]

hm, to adrian, it's optional on both sides, so if it's too complex for you on either side, don't use it. can you post your questions to the list?

17:49:11 [aleecia]

*.apple.com can cover third parties like google or adobe, who provide analytics

17:49:12 [Zakim]

+ +1.646.666.bbcc

17:49:21 [ifette]

q+

17:49:27 [npdoty]

... otherwise like the direction we're moving in

17:49:34 [aleecia]

We've covered this in compliance

17:49:40 [WileyS]

Aleecia, so are you saying there is a "google.apple.com" domain in the real-world?

17:49:49 [efelten_]

efelten_ has joined #dnt

17:49:49 [aleecia]

Yes

17:50:06 [Chapell]

Chapell has joined #DNT

17:50:15 [schunter]

q?

17:50:16 [WileyS]

David Singer - can you comment on Aleecia's claim? Is there a "google.apple.com" domain that your company currently supports?

17:50:24 [dsinger]

I think anything that is x.apple.com is under a legal SP relationship with apple (I don't actually know for certain)

17:50:26 [npdoty]

ack npdoty

17:50:26 [Zakim]

npdoty, you wanted to note that it's good that there are no UI requirements (but sync/async)

17:50:31 [susanisrael]

scribenick: susanisrael

17:50:37 [johnsimpson]

q?

17:50:47 [rigo]

WileyS: see my example, this is the way outreach is measured in Germany

17:50:58 [schunter]

Questions that are open:

17:51:04 [schunter]

- exact set of JS APIs

17:51:06 [WileyS]

Aleecia, so if it's a service provider, is that okay to you that exceptions to the host domain cover their service providers as well?

17:51:09 [schunter]

- Sync vs async APIs

17:51:14 [susanisrael]

npdoty: i appreciated that when david integrated this he eliminated ui requirements, but making api synchronous demands that user not show interactive ui and don't know why we would foreclose

17:51:15 [schunter]

- Handling of subdomains

17:51:32 [WileyS]

Rigo, I'm very familiar with Germany's approach - but I don't believe that's what is being discussed here.

17:51:34 [aleecia]

What I'm saying is, let's not break that as possible, and also not rely on *.foo.com all being foo

17:51:36 [dsinger]

the user agent is no longer *required* to confirm; it still may

17:51:42 [susanisrael]

....i think this is worse than old approach since user will no longer be confirming that user wants to send dnt 0.

17:51:58 [susanisrael]

.....i think it would cast doubt on what dnt 0 means

17:52:06 [schunter]

q?

17:52:06 [WileyS]

Aleecia, as a company that would like to actually implement the W3C's version of DNT, I believe *.domain.com is going to be necessary.

17:52:12 [schunter]

ack ifette

17:52:19 [fielding]

aleecia, if service providers are considered third parties, there is no incentive for siloing data by first party

17:52:21 [susanisrael]

*nick should i continue or are you scribing again?

17:52:41 [susanisrael]

ifette: agree with adrian's 3 points...

17:53:08 [susanisrael]

...there is a general trend in new apis to try to get away from asynchronous apis which are more complex to implement

17:53:37 [susanisrael]

ifette: if site is confirming, browser should store, no reason to be asynchronous.

17:53:57 [schunter]

q+

17:54:12 [dsinger]

q+

17:54:13 [WileyS]

+1 to Ian on site driven exception process (default)

17:54:26 [susanisrael]

ifette: think we need to keep it as model where site asks on its own real estate and explains why it is asking exception. not saying browsers can't confirm but don't have to. synchronous api makes more sense

17:54:27 [schunter]

Opinion/Question: The DNT header is the only normative transmission mechanism for DNT;0 (i.e., the values returned by JS are only indicative)

17:54:33 [rigo]

I agree with Nick that a specification should not foreclose the browser confirming the storage of an exception

17:54:39 [npdoty]

it wouldn't just be the default though, it would make it impractical to implement a UI that confirmed

17:54:57 [aleecia]

I'm not sure we ought ask for reimplementations, Roy, but if you think your customers are up for it, you'd know better than I do. Is google also in? If we add "everything under *.acme must be acme," I'm fine

17:55:05 [susanisrael]

mattias: i think whatever comes back from javascript just responses on whether script was received. permission management is only about values you may or may not send.

17:55:23 [aleecia]

That would simplify a lot of problems

17:55:35 [tlr]

I'd expect objections against that from a lot of corners.

17:55:47 [dsinger]

q?

17:55:53 [dsinger]

ack schunter

17:55:54 [schunter]

ack schunter

17:55:55 [susanisrael]

....i would go for synchronous too

17:55:56 [schunter]

ack dsinger

17:56:01 [aleecia]

Then expect me to object to treating *.acme as axiomatically first party

dsinger: i think synchronous ok but harder for UA to confirm what user wants to do.

17:56:22 [npdoty]

q+

17:56:32 [aleecia]

(cannot understand david)

17:56:49 [susanisrael]

....if really anal about it could hold request while confirms with user but doesn't mean api must be asynchronous.

17:56:58 [WileyS]

David - are you speaking on a speaker phone? Hard to hear you clearly...

17:57:03 [fielding]

s/aleccia/aleecia/

17:57:05 [aleecia]

We've discussed this at length, months ago. My info comes from this grou

17:57:05 [susanisrael]

dsinger: leads to complication for browser

17:57:05 [schunter]

David says that user agent can reconfirm with user before actually acting on a JS request from a site. Thus sync API should be OK.

17:57:31 [susanisrael]

* thanks schunter

17:57:44 [dwainberg]

I'm having a very hard time understanding david

17:57:51 [susanisrael]

dsinger: if too complicated for browser to implement don't do it

17:58:01 [susanisrael]

hard to understand dsinger--voice is muffled

17:58:05 [aleecia]

And I'm not sure why you think ownership is irrelevant... But I suspect we're into a very different discussion there

17:58:19 [schunter]

[this comment was for aiming at the explicit/explicit lists: they are optional on both sides]

17:58:28 [schunter]

q?

17:58:32 [aleecia]

If *.foo is not always foo, but we treat it as if it is, we're failing

17:58:35 [schunter]

ack npdoty

17:58:44 [susanisrael]

dsinger: could lead to users declining. understand caution about requiring browser confirmation but should permit it

17:58:57 [johnsimpson]

Cannot understand David

17:58:59 [Zakim]

-DAvid

17:59:18 [susanisrael]

npdoty: will try to respond to dsinger and repeat some

17:59:28 [aleecia]

The only way out of that is to put all liability on the first party, but that's not going to happen.

17:59:49 [ifette]

?!?!?!

17:59:49 [susanisrael]

....1> synchronous version of api ok bc if browser wants to confirm could do after and revoke if necessary

17:59:55 [ifette]

so you lie to the site?

17:59:57 [ifette]

that's nuts

18:00:03 [WileyS]

Aleecia, if a domain holder claims *.domain.com as their own, then I think we're on the same page. A domain holder should not request a full *.domain.com exception if they don't manage all the sub-domains associated with the core domain.

18:00:03 [aleecia]

What?

18:00:03 [susanisrael]

npdoty: preferable

18:00:05 [ifette]

"Yes, I have stored your request, but not really"

18:00:30 [schunter]

semantics: "Yes, I received your request and I started processing it".

18:00:47 [schunter]

"once the processing is completed, I will act on the outcome"

18:00:49 [susanisrael]

npdoty: other reason for specific lists is that user might not approve request that would cover all trackers.

18:01:02 [susanisrael]

....this was way to get more users to grant exceptions.

18:01:11 [kj]

kj has joined #dnt

18:01:19 [susanisrael]

...if ua not the one requesting exception then maybe that's not relevant

18:01:21 [fielding]

aleecia, control is the relevant issue -- the domain ownership has no relation to the companies that touch data via that domain. The only thing ownership states is who can map the address to a new destination.

18:01:38 [tlr]

fielding has it exactly right

18:01:47 [Zakim]

+DAvid

18:01:50 [npdoty]

the http cookie spec doesn't demand that the UA store every cookie, does it?

18:02:27 [susanisrael]

schunter: would like to close this discussion, feeling we may have consensus. no strong objection to synchronous API. Nick should also check whether his semantics covered in spec. May create issue, post resolution then close again.

18:02:32 [dsinger]

suggest (a) make sure the spec. does not preclude 'pending' the request while getting confirmation (b) adding the 'does my exception stand' APIs

18:02:36 [ifette]

npdoty, if the cookie isn't stored then we see sites using other fingerprinting which is not really a practice we want to encourage

18:02:42 [dan_auerbach]

I'm still inclined to prefer async for reasons Nick notes, though as I understand David's point, that strikes me as a reasonable alternative